bin/175213: bsdgrep(1) segfaults upon malicious input
Mark Johnston
markj at freebsd.org
Sun Jan 27 21:50:01 UTC 2013
The following reply was made to PR bin/175213; it has been noted by GNATS.
From: Mark Johnston <markj at freebsd.org>
To: bug-followup at FreeBSD.org, deeptech71 at gmail.com
Subject: Re: bin/175213: bsdgrep(1) segfaults upon malicious input
Date: Sun, 27 Jan 2013 09:41:33 -0500
The attached patch should fix the problem. The bounds-checking code in
IS_OUT_OF_BOUNDS is not quite right; based on the code in SHIFT, (j - 1)
or (j + fg->len) must be valid indices into str_byte (depending on
whether a reversed search is being done).
I have a little program which reproduces this problem on my machine;
it's posted here: http://people.freebsd.org/~markj/prs/175213/
Thanks,
-Mark
Attachment: bsdgrep_bounds.diff (text/x-diff)
diff --git a/usr.bin/grep/regex/tre-fastmatch.c b/usr.bin/grep/regex/tre-fastmatch.c
index b7a7c91..e363a28 100644
--- a/usr.bin/grep/regex/tre-fastmatch.c
+++ b/usr.bin/grep/regex/tre-fastmatch.c
@@ -101,9 +101,9 @@ static int fastcmp(const fastmatch_t *fg, const void *data,
#define IS_OUT_OF_BOUNDS \
((!fg->reversed \
- ? ((type == STR_WIDE) ? ((j + fg->wlen) > len) \
- : ((j + fg->len) > len)) \
- : (j < 0)))
+ ? ((type == STR_WIDE) ? ((j + fg->wlen) >= len) \
+ : ((j + fg->len) >= len)) \
+ : (j <= 0)))
/*
* Checks whether the new position after shifting in the input string
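Review bot: the tightened comparisons now reject the position where the pattern ends exactly on the last byte (`(j + fg->len) >= len`, and `(j + fg->wlen) >= len` for wide strings) and, reversed, the position `j == 0`; please confirm that fastcmp has already been run for that position before IS_OUT_OF_BOUNDS is consulted, otherwise a match flush against either end of the input is lost rather than just the shift read past it. A one-line addition to the comment above the macro stating the invariant from the mail (`j - 1` or `j + fg->len` must be a valid index because SHIFT reads it) would keep the next reader from "fixing" `>=` back to `>`, and the reproducer linked in the mail would make a useful regression test.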
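The off-by-one the mail describes, modelled as an added example (not the PR's code or tre-fastmatch.c itself): a simplified forward/reversed scan whose shift step peeks at str[j + patlen] or str[j - 1], run with the pre-patch and the patched bounds test over a constructed buffer. The function and variable names are the example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Counts reads that fall outside [0, len); a raw str[idx] at such an
 * index is the kind of read behind the reported segfault. */
static int oob_reads;

/* Stand-in for the shift step's character read (SHIFT in tre-fastmatch). */
static int peek(const char *str, long len, long idx)
{
    if (idx < 0 || idx >= len) {
        oob_reads++;
        return -1;
    }
    return (unsigned char)str[idx];
}

/* Check as it was before the patch: lets j + patlen == len (forward)
 * and j == 0 (reversed) through, so the peek reads str[len] / str[-1]. */
static bool oob_old(bool rev, long j, long patlen, long len)
{
    return rev ? (j < 0) : (j + patlen > len);
}

/* Patched check: the index the peek is about to read must itself be valid. */
static bool oob_new(bool rev, long j, long patlen, long len)
{
    return rev ? (j <= 0) : (j + patlen >= len);
}

/* Naive scan: compare at j, then consult the bounds check before peeking
 * the shift character and stepping. Returns the match offset or -1. */
static long scan(const char *str, long len, const char *pat, bool rev,
                 bool (*oob)(bool, long, long, long))
{
    long patlen = (long)strlen(pat), j = rev ? len - patlen : 0;

    oob_reads = 0;
    while (j >= 0 && j + patlen <= len) {   /* the compare itself stays in range */
        if (memcmp(str + j, pat, (size_t)patlen) == 0)
            return j;
        if (oob(rev, j, patlen, len))       /* no room for the shift peek */
            break;
        (void)peek(str, len, rev ? j - 1 : j + patlen);
        j += rev ? -1 : 1;
    }
    return -1;
}
```

Scanning the constructed buffer "abcxyz" for an absent pattern with oob_old records one out-of-range peek in each direction (str[6] forward, str[-1] reversed); with oob_new it records none, and patterns flush against either end ("xyz" forward, "abc" reversed) are still found.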